Lawmakers spar over how much to punish Chinese firms

Rep. Mike Conaway's measure currently has 15 cosponsors, most of whom sit on the Intelligence or Armed Services committees, or both. Three were added in the past few days.

Rep. Mike Conaway, R-Texas, is adding cosponsors to his bill banning Chinese telecom companies Huawei and ZTE from government contracts due to cybersecurity concerns. But it's unclear whether supporters will try to move the measure through the normal committee process, or perhaps tack it to a must-pass spending bill later in the year.

The bill has also triggered debate over whether it would actually improve cybersecurity and whether it's being pursued for economic as well as national security reasons.

H.R. 4747 was referred to the House Oversight and Government Reform Committee, which has yet to announce plans for hearings or a markup. Conaway's office said there was nothing to announce yet on next steps for the bill, which was introduced in January. Conaway is an influential member of the House Republican Conference, and sits on the Intelligence Committee and chairs the Agriculture panel.

Sens. Marco Rubio, R-Fla., and Tom Cotton, R-Ark., introduced companion legislation on Feb. 7. Both are members of the Intelligence Committee, and Cotton also serves on Armed Services.

The two companies do not have contracts with the federal government, but such a legal ban could deliver a heavy reputational blow. Inexpensive phones and telecom equipment such as routers from the companies are increasingly popular with smaller U.S. companies and individual consumers, industry sources say.

AT&T and Verizon recently dropped plans to offer Huawei's new smartphone, reportedly under pressure from lawmakers and U.S. officials.

“Chinese commercial technology is a vehicle for the Chinese government to spy on United States federal agencies, posing a severe national security threat,” Conaway said in a statement about his bill.

Some observers questioned whether blacklisting the companies would effectively address the cybersecurity concerns.

"My view, then and now, is it doesn't make sense to make procurement decisions based on the headquarters location of the company whose name is on the box,” said Bruce McConnell, formerly the top cyber official at the Department of Homeland Security and now global vice president at the EastWest Institute. “All of these products are from the global supply chain. All come from the same place as Huawei."

McConnell said: "This kind of policy is bad for business. It doesn't do anything for cybersecurity, and other countries will discriminate against U.S. products. You end up limiting our ability to sell American products into those markets."

But former Rep. Frank Wolf, R-Va., who as a House Appropriations subcommittee chairman pioneered efforts to scrutinize the cybersecurity of Chinese tech products, praised the legislation and called Conaway a “well-respected member of the Intelligence Committee.”

“I think it's a good idea,” Wolf said. “This is a big problem — the Chinese are spying on us, and the technology can be embedded in their products.”

The Conaway measure has 15 cosponsors, most of whom sit on the Intelligence or Armed Services committees, or both. Three were added in the past few days.

The bill's one Democratic cosponsor, Rep. Dutch Ruppersberger of Maryland, serves on the Appropriations Committee. Ruppersberger is a former top Democrat on the Intelligence Committee who has long taken an interest in cybersecurity issues around Chinese products.

Some sources have suggested that the language in H.R. 4747 eventually could be folded into an appropriations measure rather than advance as standalone legislation.

Ruppersberger's office did not comment.

No new information has been offered publicly on security threats related to the Chinese companies. The Conaway legislative text refers to a February 2015 FBI “intelligence note” as the most recent documentation of a potential security issue involving Huawei, along with a 2012 House Intelligence Committee report.

The bill highlights a 2017 guilty plea by ZTE “to conspiring to violate the International Emergency Economic Powers Act by illegally shipping U.S.-origin items to Iran.”

Both companies have rejected the allegations that their products are a security risk.

Cybersecurity practitioners on the industry side suggested there haven't been any new security alarms related to the companies.

“There have been no new 'red flags' [on Huawei and ZTE] but the assessment [of a potential risk] hasn't changed,” one private-sector cybersecurity source said, referring to concerns raised in 2011 and 2012 government reports suggesting links between the companies and the Chinese government, for example.

“What has changed,” the industry source said of Huawei and ZTE, “is now they are beginning to eat market share and getting a better reputation, and that makes it enticing to go after them.”

The source said there “are legitimate concerns” to consider about the products, but also noted that other governments, including the United Kingdom, have come to “trust” the Huawei products.

In the UK, the security of Huawei products is assessed under a special arrangement between the British government and the company.

“There is no there there,” a Huawei representative said, noting that many brands of smartphones are made in China. “Everyone's building in China. This is a political game, nothing more.” The source said “Huawei is not owned, directed, or subsidized” by the Chinese government.

The industry security source said the government can have legitimate concerns about the company, but also noted the wide-ranging ramifications of publicly banning a company's products.

“It may be inappropriate to tell a private company that they can't use a cheaper alternative,” the source said, suggesting a government ban would have such an effect on the private market.

The next steps on the Conaway bill may begin coming into focus during the current congressional work period.